feat: enable HTTPS, OIDC auth, Collabora, ClamAV, and OPA policies#107
feat: enable HTTPS, OIDC auth, Collabora, ClamAV, and OPA policies#107suse-coder wants to merge 55 commits into
Conversation
Add helmfile.yaml composing OpenCloud + Keycloak + OpenLDAP + ClamAV as separate charts, based on SOURCE helmfile.yaml (564 lines). Releases: - opencloud-secrets: shared OIDC, LDAP bind, and S3 credentials - keycloak: bitnami/keycloak v24.3.0 with auto-imported openCloud realm - openldap: osixia/openldap with custom schema + LDIF (users/groups) - clamav: wiremind/clamav v3.7.1 with 2 replicas - opencloud: monolithic chart with full SOURCE configuration Configuration sections from SOURCE helmfile: - Logging, external domain, ingress/gateway - OIDC/external user management (claims, role assignment, LDAP) - Secret refs, insecure settings - Quotas, antivirus, SMTP - OPA Rego policies (proxy, postprocessing, utils) - Apps integration (WOPI with Collabora + OnlyOffice) - Web extensions (6 init containers) Migration plan reference: Phase 0, Task 0.2
Add 9 unit tests verifying external OIDC and LDAP configuration: - OC_OIDC_ISSUER set from external issuer URL - WEB_OIDC_METADATA_URL derived from issuer URL - Keycloak deployment disabled when oidc.enabled=false - Keycloak deployment created when oidc.enabled=true - LDAP bind passwords use internal IDM secrets by default (documents gap) - S3 credentials reference when decomposeds3 is used - External user management with admin UUID - LDAP connection configuration for external user management Test results: 6 suites, 24 tests, all passing. Note: LDAP bind secret tests document a gap to be fixed in Phase 1 (external ldap-bind-secrets not yet supported in deployment template). Migration plan reference: Phase 0, Task 0.4
BREAKING CHANGE: Integrated Keycloak and PostgreSQL deployments removed. OpenCloud now requires an external OIDC provider (e.g., Keycloak deployed separately via helmfile). Changes: - Remove templates/keycloak/ directory (7 files) - Remove templates/postgres/ directory (4 files) - Remove files/keycloak/ directory (realm template, entrypoint script) - Update values.yaml: replace oidc.enabled/external with direct oidc.issuerUrl/clientId - Remove postgres section from values.yaml - Update _helpers/tpl.yaml: simplify OIDC helpers, remove keycloak/postgres helpers - Update deployment.yaml: use oidc.issuerUrl directly instead of oidc.enabled/external - Update gateway.yaml: remove Keycloak listener - Update NOTES.txt: remove Keycloak/PostgreSQL references - Update tests: remove Keycloak HTTPRoute/Ingress tests, update OIDC tests Migration: Users must deploy Keycloak separately (e.g., bitnami/keycloak via helmfile) and configure oidc.issuerUrl and oidc.clientId in values.yaml. Test results: 6 suites, 23 tests, all passing. Migration plan reference: Phase 1, Task 1.0
Add Timoni bundles for deploying OpenCloud and dependencies via FluxCD: opencloud bundle: - opencloud.cue: main bundle definition for monolithic chart - runtime.cue: runtime values from ConfigMap/Secrets - configmap.yaml: OpenCloud configuration - secret.yaml: OIDC, LDAP bind, S3 credentials - sa.yaml: Flux ServiceAccount + RBAC openldap bundle (osixia/openldap): - openldap.cue: bundle with custom LDIF + OpenCloud schema - runtime.cue: runtime values from ConfigMap/Secrets - configmap.yaml: LDAP configuration - secret.yaml: admin credentials - sa.yaml: Flux ServiceAccount + RBAC clamav bundle (wiremind/clamav): - clamav.cue: bundle with HA config (2 replicas, PDB, topology spread) - runtime.cue: runtime values from ConfigMap - configmap.yaml: ClamAV configuration - sa.yaml: Flux ServiceAccount + RBAC (via service-account instance) Includes README.md with install/upgrade instructions. Test results: 6 suites, 23 tests, all passing. Migration plan reference: Phase 1, Task 1.2
Add antivirus scanning configuration to support ClamAV or ICAP scanners: values.yaml: - opencloud.antivirus.enabled: enable/disable scanning - opencloud.antivirus.infectedFileHandling: abort/continue/delete - opencloud.antivirus.scannerType: clamav or icap - opencloud.antivirus.clamavSocket: ClamAV socket endpoint - opencloud.antivirus.icapUrl: ICAP server URL - opencloud.antivirus.icapService: ICAP service name deployment.yaml: - ANTIVIRUS_ENABLED, ANTIVIRUS_SCANNER_TYPE env vars - ANTIVIRUS_INFECTED_FILE_HANDLING env var - ANTIVIRUS_CLAMAV_SOCKET (when scannerType=clamav) - ANTIVIRUS_ICAP_URL, ANTIVIRUS_ICAP_SERVICE (when scannerType=icap) tests/antivirus_test.yaml: - 8 unit tests covering all antivirus configurations - Tests for clamav scanner type - Tests for icap scanner type - Tests for infected file handling options Test results: 7 suites, 31 tests, all passing. Migration plan reference: Phase 2, Tasks 2.1-2.3
Add support for explicit storage driver selection for user files: values.yaml: - opencloud.storage.usersDriver: explicit driver selection - decomposeds3 (default when mode=s3) - posix (default when mode=posixfs) - decomposed (metadata only, no blob storage) - If usersDriver is not set, derives from mode field deployment.yaml: - Updated STORAGE_USERS_DRIVER to use explicit usersDriver if set - Falls back to mode-based selection if usersDriver is empty tests/storage_test.yaml: - 9 unit tests covering all storage driver configurations - Tests for default behavior (mode-based) - Tests for explicit driver override - Tests for posixfs and s3 configurations Test results: 8 suites, 40 tests, all passing. Migration plan reference: Phase 3, Tasks 3.1-3.3
…k 4.1-4.2) Add comprehensive JSON Schema for values.yaml validation: - Global settings (domain, TLS, image) - OIDC configuration (issuerUrl, clientId, CORS) - Secret references (LDAP, S3) - Features (external user management, virusscan, email) - OpenCloud settings (replicas, logLevel, storage, NATS, SMTP, antivirus) - HTTPRoute and Ingress configuration - Collabora settings Schema validates: - Required formats (hostname, uri, uuid) - Enum values (logLevel, storage drivers, access modes, etc.) - Type constraints (boolean, integer, string) Test results: Schema validation working correctly. Migration plan reference: Phase 4, Tasks 4.1-4.2
Add mutual exclusion assertion and comprehensive Collabora tests: deployment.yaml: - Add mutual exclusion check: fails if both internal and external Collabora enabled - WOPI proof key generation already present (coolconfig generate-proof-key) tests/collabora_test.yaml: - 10 unit tests covering all Collabora configurations - Tests for mutual exclusion (internal vs external) - Tests for WOPI proof key generation - Tests for WOPI alias group configuration - Tests for SSL configuration (enabled/disabled) - Tests for MKNOD capability - Tests for liveness and readiness probes Test results: 9 suites, 50 tests, all passing. Migration plan reference: Phase 5, Tasks 5.1-5.3
…hase 6) - Add ServiceMonitor template for Prometheus monitoring - Add extra-resources template for arbitrary K8s resources - Add custom CA chain helper for inter-service TLS - Add OPA Rego policies ConfigMap for file/MIME restrictions - Add monitoring, extraResources, customCA, and policies sections to values.yaml - Add comprehensive tests for all new features (monitoring_test.yaml) - Fix ingress section indentation in values.yaml All 60 tests pass across 10 test suites.
- Enable HTTPS with TLS termination via cilium-gateway - Configure Keycloak OIDC with proper redirect URIs and scopes - Add HTTP→HTTPS redirect routes for all services - Enable Collabora with jail security fixes (child_root_path, capabilities) - Enable ClamAV virus scanning with infected file handling - Enable OPA policies for file type restrictions - Fix CSP to use HTTPS URLs - Update config.json to use HTTPS scheme - Add proper section names for all HTTPRoutes matching gateway listeners
- Replace helm install with helmfile sync in Quick Start - Update prerequisites to mention Gateway API compatible ingress - Update component list (ClamAV, OPA, OpenLDAP instead of MinIO) - Update NOTES.txt with HTTPS URLs instead of port-forward - Update storage section to reflect ceph-cephfs RWX - Add enabled features section to NOTES.txt - Update production readiness checklist
- Update component list (OpenLDAP, ClamAV instead of PostgreSQL, MinIO) - Add helmfile sync as primary installation method - Update prerequisites for Kubernetes 1.33+ and Gateway API - Update installation examples with correct gateway section names
|
Do you know if "{"level":"error","service":"storage-users","host.name":"opencloud-opencloud-6f8488f87b-g47fb","pkg":"rgrpc","driver":"posix","error":"error: not found: record not found in cache","path":"/var/lib/opencloud/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/3b","time":"2026-06-06T20:49:12Z","line":"github.com/opencloud-eu/reva/v2@v2.46.2-0.20260602061404-0e975e5456eb/pkg/storage/fs/posix/tree/assimilation.go:991","message":"could not get ids for path"} is normal I guess you had that also |
…ncloud.eu to CSP - Add frontendCheckForUpdates value (default: false) to disable update checks - Make FRONTEND_CHECK_FOR_UPDATES environment variable configurable via values - Add https://update.opencloud.eu/ to CSP connect-src to allow update checks when enabled - Update helmfile to disable update checks by default
- Enable TLS, posixfs storage with RWX access mode - Enable antivirus (ClamAV), OPA policies, Collabora - Add httpRoute gateway sectionName configuration - Add frontendCheckForUpdates setting - Update runtime.cue, opencloud.cue, and configmap.yaml
- Second instance uses opencloud2.test domains - Shares Keycloak and OpenLDAP with first instance - Uses opencloud2 sectionName for HTTPRoute - Commented out by default, uncomment to deploy
- Comment out opencloud2 instance in helmfile (multi-tenant example) - Remove unused OIDC credentials from Timoni secret.yaml - Update NOTES.txt to remove Keycloak section when OIDC is configured - Make deployment strategy conditional on RWX access mode
- Add decomposed driver configuration in values.yaml - Add STORAGE_USERS_OC_MAX_CONCURRENCY env var for decomposed driver - Support decomposed driver in deployment template alongside posixfs and decomposeds3
- Add decomposed object with maxConcurrency property to storage schema
…ction - Add warning about CephFS snapshot/clone issues with posixfs mode - Recommend decomposed driver as alternative for CephFS environments - Add decomposed storage settings table to README - Add conditional warning in NOTES.txt when posixfs is used
- Add decomposed storage mode to values.yaml and schema - Implement decomposed PVC, volume mount, and strategy logic - Update deployment template to support decomposed driver - Add CephFS backup warning for posixfs mode - Update helmfile with decomposedfs configuration - Add data PVC size configuration to helmfile - Update README with decomposed storage settings - Add conditional warning in NOTES.txt for posixfs + CephFS
- Update Chart.yaml version from 2.4.3 to 2.4.4 - Keep 2.4.3 entry in version table, add 2.4.4 - Update Timoni deployment version references
|
You deploy opencloud and all the stuff with helmfile and not with helm or? |
Yes for testing I just run the helmfile. For Prod I use timoni (and in the future kind: HelmChart). |
|
But I think the future is going away from helmfiles -> to yaml based HelmRepositories and HelmCharts (multiple yaml) from https://fluxoperator.dev/docs/charts/flux-operator/ I wanted to try it out, yet not had time for it. But it is how to do it right (if one is not using timoni). |
|
Yeah I use the helmrepository and helmrelease already with e.g.: I think this is also better than using Timoni. I would prefer to use YAML-based files; however, I'm generally more of a fan of JSON, especially for tools like Terraform. |
|
FYI: I am on vacation right now . We can discuss a little bit here, but I can´t review such a big pr for the next 1-2 weeks right now. |
good holiday |
|
One can test with https://testfile.org/all-pdf-sample-test-file-download-direct/ |
|
@suse-coder I’m open to using a different Tika image. Looking at this PR, how should we proceed? As discussed, we don’t want to introduce Helmfile or Timoni. What would be the best next step from your perspective? |
…g to v7.2.0 (opencloud-eu#109) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…loud-eu#104) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- Replace helm install with helmfile sync in Quick Start - Update prerequisites to mention Gateway API compatible ingress - Update component list (ClamAV, OPA, OpenLDAP instead of MinIO) - Update NOTES.txt with HTTPS URLs instead of port-forward - Update storage section to reflect ceph-cephfs RWX - Add enabled features section to NOTES.txt - Update production readiness checklist
…6); add full realm import with groups clientScope and admin UUID for autoprovisioning
- Remove deployments/helm (helmfile), deployments/timoni bundles, and the old deployments/flux (per-component -rset.yaml shards). - Rename deployments/flux-2 -> deployments/flux so a single directory holds the self-contained FluxCD HelmReleases (keycloak + postgres, openldap, clamav, opencloud, collabora) plus inline realm import / database config / HTTPRoutes. Apply with one kubectl apply -f per component dir. - README Quick Start now documents the single-cli flux apply flow instead of the removed helmfile sync.
- templates/minio/httproute.yaml: add the missing ${prefix}-minio-http
redirect HTTPRoute alongside the existing HTTPS route, mirroring the
collabora / collaboration / opencloud templates.
- templates/gateway/gateway.yaml: rename listeners to ${sectionName}-
<service>-<proto> (opencloud-proxy-http, opencloud-keycloak-http,
opencloud-wopi-http, opencloud-collabora-http, opencloud-minio-http) so
the chart's self-provisioned gateway matches the sectionName the
httproute templates attach to. Add port: 80 explicitly (was variable).
- deployments/flux/opencloud/opencloud.yaml: switch the chart GitRepository
to suse-coder/helm-1 (where this fix lives) as 'opencloud-helm' and set
httpRoute.gateway.sectionName: opencloud so the chart's HTTPRoutes bind
to the matching listeners on the cluster's external cilium-gateway.
…ecret New chart template reads .Values.opencloud.ldap.secretRef (not the legacy secretRefs.ldapSecretRef path) for the LDAP bind password keys (reva-ldap-bind-password / graph-ldap-bind-password). Without this the opencloud container fails CreateContainerConfigError: secret "opencloud-opencloud-ldap" not found. Also update charts/opencloud/README.md: replace the removed helmfile sync Quick Start with the FluxCD kubectl apply -f deployments/flux/... flow.
…econcile Replace the per-file kubectl apply/delete lists with the single kubectl apply -R -f charts/opencloud/deployments/flux/ command (recurses all component subdirs in one shot). Add the matching delete -R one-liner and a flux reconcile loop covering all HelmReleases across namespaces.
When kubectl delete removes the HelmRelease CRs, Flux's helm-controller runs helm uninstall for each, cascading the chart-rendered Deployments / Services / ConfigMaps / HTTPRoutes / Secrets. The keycloak/openldap/clamav YAMLs also embed their Namespace manifest so those cascade; the opencloud namespace is not declared in opencloud.yaml so it must be deleted explicitly. PVCs are retained by Helm to preserve data — delete them manually for a clean slate.
The keycloak/openldap/clamav flux manifests embed their Namespace so kubectl apply -R works on a fresh cluster. opencloud.yaml was the odd one out — it created HelmReleases/Secrets in the opencloud namespace without declaring it, so 'kubectl apply -R -f deployments/flux/' failed with 'namespaces opencloud not found' on a clean cluster.
…mmented Switch the flux opencloud HelmRelease default from S3+MinIO to the decomposed (PVC-backed) storage driver, matching the working /helm chart which uses storageusers.storageBackend.driver: posix. - opencloud.yaml: set opencloud.storage.mode: decomposed with a 60Gi PVC (ReadWriteOnce). Keep the s3/MinIO block and the secretRefs.s3CredentialsSecretRef line as commented-out references so switching back to S3 is a one-block uncomment. - secrets.yaml: comment out the s3secret Secret (no longer needed by default). Uncomment together with the s3 block in opencloud.yaml. - minio: no longer deployed (chart's minio templates gate on storage.mode == s3 && storage.s3.enabled).
…comment RWX option in flux opencloud.yaml - opencloud.yaml: add commented-out 'accessMode: ReadWriteMany' under decomposed.persistence so switching to RWX (multi-replica RollingUpdate) is a one-line uncomment. - charts/opencloud/README.md: add a 'Choosing a storage backend' table covering all four configs (decomposed default, decomposed+RWX, bundled S3/MinIO, external S3) with the exact YAML edits needed for each switch, and a warning about the PVC access mode -> rollout strategy coupling.
The OpenCloud web frontend is served at https://cloud.opencloud.test (TLS terminated at the Cilium Gateway). With global.tls.enabled=false the chart rendered config.json with "server": "http://cloud.opencloud.test", which made the browser block every sub-resource fetch (theme.json, remoteEntry-*.mjs, /capabilities, etc.) as mixed content / CSP violation, producing 'Missing or invalid config' plus a cascade of Failed to fetch errors in the browser console. Setting global.tls.enabled=true makes files/opencloud/config.json.gotmpl emit https:// for the server URL, matching the actual scheme the browser sees.
The chart template gates all PROXY_OIDC_* / WEB_OIDC_* / OC_OIDC_ISSUER
env vars on {{- if .Values.oidc.issuerUrl }}. Without issuerUrl set,
the proxy has no OIDC issuer configured and returns 502 Bad Gateway on
/.well-known/openid-configuration (logs: 'unsupported protocol scheme'
+ 'could not select service eu.opencloud.web.idp from the registry').
The old oidc.enabled + oidc.external block was dead config from the
legacy bundled-keycloak era — the chart never reads those fields.
Replace with the flat oidc.issuerUrl / oidc.clientId that the chart's
_helpers 'opencloud.oidc.issuer' template actually consumes.
…cure Chart defaults both to false, but keycloak.opencloud.test is served over HTTPS with a Cilium-terminated cert (self-signed CA internally), so the opencloud proxy fails TLS verification and returns 502 on /.well-known/openid-configuration. The working /helm helmfile sets both to true, matching this deployment's TLS topology.
|
@Tim-herbie can be merged now. works also with tika. have timoni replaces with bare helmreleases. |
The tika deployment hardcoded JAVA_OPTS=-Xmx3g, which pinned the JVM heap to 3 GiB regardless of the container memory limit. With tika 3.x on a JVM 21 runtime the heap auto-sizes from cgroup limits when no -Xmx is set, matching the opencloud-compose baseline. Expose env via .tika.env (default empty) so users can override JAVA_OPTS or add per-parse timeout sysprops (e.g. tika.server.forkedProcessTimeoutMillis) without forking the template.
Aligns tika requests with the deployed pod's actual usage; limits stay at 4 CPU / 10Gi so transient parsing spikes remain unconstrained.
|
@Tim-herbie Guess you are still on holiday. But it can be merged if you are ready. |
Summary
This PR enables a production-ready HTTPS deployment with OIDC authentication, document collaboration, virus scanning, and security policies.
Key Changes
🔐 HTTPS & TLS
🔑 OIDC Authentication (Keycloak)
📄 Document Collaboration (Collabora)
🦠 Virus Scanning (ClamAV)
🛡️ Security Policies (OPA)
🌐 HTTPRoutes & Gateway
📚 Documentation
Storage
Testing